Analysis
-
max time kernel
189s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2022 11:06
Static task
static1
Behavioral task
behavioral1
Sample
f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe
Resource
win7-20220812-en
windows7-x64
25 signatures
150 seconds
General
-
Target
f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe
-
Size
360KB
-
MD5
6c140e3b55a489e5d497ef9609587443
-
SHA1
7fcf23f026d6dace23700ed0e61135b9600027a7
-
SHA256
f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e
-
SHA512
8c6791e1bbab1e4fdd0dcc8c2c8c38aaac3a8e7b422f3211f10b76965474a3091ce60ed092b4e98688c7fa4f02452d5ae8a4fa9b6856fdd0a88d92c941f3238b
-
SSDEEP
6144:S/nuDm9tOBe8FBXm5kCmTJsT6+jk1iXKKe3p7tg4TTsz:SvugwBe8FQY1ue57tgS4z
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "Size: 2.56 MB" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Explorer = "C:\\Windows\\System32\\Explorer.sm2" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Disables Task Manager via registry modification
-
resource yara_rule behavioral2/memory/4452-133-0x0000000002310000-0x000000000339E000-memory.dmp upx behavioral2/memory/4452-134-0x0000000002310000-0x000000000339E000-memory.dmp upx behavioral2/memory/4452-136-0x0000000002310000-0x000000000339E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lao Antivirus = "C:\\WINDOWS\\NOTEPAD.EXE" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\Q: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\S: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\Y: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\E: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\I: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\J: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\W: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\L: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\R: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\T: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\V: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\F: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\M: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\O: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\P: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\U: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\X: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\Z: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\G: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\H: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened (read-only) \??\N: f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "9" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Modifies registry class 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "Size: 2.56 MB" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\InfoTip = "Size: 7.24 MB" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sm2 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\shell\open\command f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\shell f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\shell\open f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\DefaultIcon f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,1" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sm2\ = "sm2File" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\services.exe" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sm2File f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe Token: SeDebugPrivilege 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4452 wrote to memory of 784 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 9 PID 4452 wrote to memory of 788 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 28 PID 4452 wrote to memory of 64 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 11 PID 4452 wrote to memory of 2480 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 38 PID 4452 wrote to memory of 2500 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 42 PID 4452 wrote to memory of 2740 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 52 PID 4452 wrote to memory of 2596 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 54 PID 4452 wrote to memory of 1080 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 56 PID 4452 wrote to memory of 3268 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 55 PID 4452 wrote to memory of 3364 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 58 PID 4452 wrote to memory of 3432 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 57 PID 4452 wrote to memory of 3528 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 78 PID 4452 wrote to memory of 3676 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 77 PID 4452 wrote to memory of 1152 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 63 PID 4452 wrote to memory of 4112 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 62 PID 4452 wrote to memory of 784 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 9 PID 4452 wrote to memory of 788 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 28 PID 4452 wrote to memory of 64 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 11 PID 4452 wrote to memory of 2480 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 38 PID 4452 wrote to memory of 2500 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 42 PID 4452 wrote to memory of 2740 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 52 PID 4452 wrote to memory of 2596 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 54 PID 4452 wrote to memory of 1080 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 56 PID 4452 wrote to memory of 3268 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 55 PID 4452 wrote to memory of 3364 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 58 PID 4452 wrote to memory of 3432 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 57 PID 4452 wrote to memory of 3528 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 78 PID 4452 wrote to memory of 3676 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 77 PID 4452 wrote to memory of 4112 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 62 PID 4452 wrote to memory of 784 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 9 PID 4452 wrote to memory of 788 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 28 PID 4452 wrote to memory of 64 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 11 PID 4452 wrote to memory of 2480 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 38 PID 4452 wrote to memory of 2500 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 42 PID 4452 wrote to memory of 2740 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 52 PID 4452 wrote to memory of 2596 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 54 PID 4452 wrote to memory of 1080 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 56 PID 4452 wrote to memory of 3268 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 55 PID 4452 wrote to memory of 3364 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 58 PID 4452 wrote to memory of 3432 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 57 PID 4452 wrote to memory of 3528 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 78 PID 4452 wrote to memory of 3676 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 77 PID 4452 wrote to memory of 4112 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 62 PID 4452 wrote to memory of 784 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 9 PID 4452 wrote to memory of 788 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 28 PID 4452 wrote to memory of 64 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 11 PID 4452 wrote to memory of 2480 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 38 PID 4452 wrote to memory of 2500 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 42 PID 4452 wrote to memory of 2740 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 52 PID 4452 wrote to memory of 2596 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 54 PID 4452 wrote to memory of 1080 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 56 PID 4452 wrote to memory of 3268 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 55 PID 4452 wrote to memory of 3364 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 58 PID 4452 wrote to memory of 3432 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 57 PID 4452 wrote to memory of 3528 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 78 PID 4452 wrote to memory of 3676 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 77 PID 4452 wrote to memory of 4112 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 62 PID 4452 wrote to memory of 784 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 9 PID 4452 wrote to memory of 788 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 28 PID 4452 wrote to memory of 64 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 11 PID 4452 wrote to memory of 2480 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 38 PID 4452 wrote to memory of 2500 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 42 PID 4452 wrote to memory of 2740 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 52 PID 4452 wrote to memory of 2596 4452 f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe 54 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2500
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2740
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe"C:\Users\Admin\AppData\Local\Temp\f2819d1e06196e6c32e4d30e445b981f457e1218f95ef2d33fe91ec4b8eddd0e.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4452
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:1080
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3432
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3364
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4112
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1152
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3676
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3528
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
2Modify Existing Service
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
3Hidden Files and Directories
2Modify Registry
12